Painless script regex

Boris_Boris · March 16, 2021, 8:16pm

I have a event.original field -> type String.
"2021-03-15T16:11:12.333659+00:00 10.10.252.2 id=firewall sn=xx time=2021-03-15 16:11:12 UTC fw=8.8.8.8 pri=5 c=256 m=38 msg=ICMP packet dropped due to Policy proto=icmp type=3 icmpCode=3"

I want to extract scripted field with regex.

if(!doc['event.original'].empty)
 {
 String s = doc['event.original'].value;
 String clr = s.replace("\"","");


 if ( clr =~ /(?<=msg=)\w+/ ) {
  return "matc"
 } 
 else {
  String test = doc['event.original'].value;
  String test1 = test.replace("\"","");
  return  test1 
 }
}

This script returned "matc"
But when i try to return value with:

if(!doc['event.original'].empty)
 {
 String s = doc['event.original'].value;
 String clr = s.replace("\"","");
 def m = /(?<=msg=)\w+/.matcher(clr);

 if ( m.matches()  ) {
  return "matc"
 } 
 else {
  return  "not matched"
 }
}

This returns "not matched"
so i can't use scriptied field with value of "ICMP packet dropped due to Policy"

Boris_Boris · March 17, 2021, 12:32pm

problem resolved by using m.find()

system · April 14, 2021, 12:32pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.